Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

client certificate expiration seconds must greater or qual to 3600 #149

Merged
merged 1 commit into from
Jun 7, 2023
Merged

client certificate expiration seconds must greater or qual to 3600 #149

merged 1 commit into from
Jun 7, 2023

Conversation

youhangwang
Copy link
Contributor

@youhangwang youhangwang commented May 30, 2023
edited
Loading

In PR: open-cluster-management-io/registration#312, a option --client-cert-expiration-seconds was exposed so that a user can specify a expiration seconds for the client cert. And we use the minimum value of expiration time in CSR - 10min to check if the expiration time is validated.

However, for the clientCertificateController in registration, 600 is too short:

  1. clientCertificateController to check if cert is expired every 5min.
  2. kubeclient resync the client cert every 5min.
  3. clientCertificateController will refresh the cert if the cert has less than a random percentage range from 20% to 25% of its life remaining.

so the minimum expiration second would be (5 * 60)/(1/5) = 1500s for clientCertificateController. otherwise, the kube client will use a expired client cert to send request to the remote cluster.

Considering to add some margin. 1h(3600s) could be a good choice.

@openshift-ci openshift-ci bot requested review from deads2k and jnpacker May 30, 2023 06:33
@youhangwang youhangwang force-pushed the increase-ClientCertExpirationSeconds branch from a2bd60f to f147fb1 Compare May 30, 2023 06:34
@youhangwang youhangwang mentioned this pull request May 30, 2023
Closed
@qiujian16
Copy link
Member

hrm, seems there is some issue with operator e2e...I am looking at it.

@qiujian16
Copy link
Member

@youhangwang would you rebase the PR, there was a bug in the code that is fixed in #150

clyang82 pushed a commit to clyang82/ocm that referenced this pull request Jun 2, 2023
@zhujian7 @qiujian16
move apply method to seperate package (open-cluster-management-io#149)
787d7c5 
* move apply method to seperate package

Signed-off-by: Jian Qiu <jqiu@redhat.com>

* make sure the update apply func returns existing object

Signed-off-by: zhujian <jiazhu@redhat.com>

Signed-off-by: Jian Qiu <jqiu@redhat.com>
Signed-off-by: zhujian <jiazhu@redhat.com>
Co-authored-by: Jian Qiu <jqiu@redhat.com>
client certificate expiration seconds must greater or qual to 3600
d494916 
Signed-off-by: johan <wangyouhang@ibm.com>
@youhangwang youhangwang force-pushed the increase-ClientCertExpirationSeconds branch from f147fb1 to d494916 Compare June 7, 2023 03:29
@codecov
Copy link

codecov bot commented Jun 7, 2023
edited
Loading

Codecov Report

❗ No coverage uploaded for pull request base (main@6f21760). Click here to learn what that means.
Patch has no changes to coverable lines.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #149   +/-   ##
=======================================
  Coverage        ?   58.42%           
=======================================
  Files           ?      107           
  Lines           ?    11847           
  Branches        ?        0           
=======================================
  Hits            ?     6922           
  Misses          ?     4254           
  Partials        ?      671
Flag Coverage Δ
unit 58.42% <0.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

@youhangwang
Copy link
Contributor Author

@qiujian16 branch was rebased on the main branch

@qiujian16
Copy link
Member

/approve
/lgtm

@openshift-ci openshift-ci bot added the lgtm label Jun 7, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jun 7, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: qiujian16, youhangwang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved label Jun 7, 2023
@openshift-merge-robot openshift-merge-robot merged commit a51a112 into open-cluster-management-io:main Jun 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deads2k deads2k Awaiting requested review from deads2k

@jnpacker jnpacker Awaiting requested review from jnpacker

Assignees

@qiujian16 qiujian16

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@youhangwang @qiujian16 @openshift-merge-robot